release: v0.17.0 — multi-file tabs + integration drawer + agent permissions + S3 backups

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: DavidsonGomes

CHANGELOG.md

@@ -5,6 +5,27 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [0.17.0] - 2026-04-12
+
+### Added
+
+- **Multi-file tabs in Workspace** — open multiple files simultaneously with a tab bar. Tabs persist in localStorage across page refreshes. Per-tab dirty state, editor content, and mode tracking. Middle-click to close, unsaved changes confirmation.
+- **Integration config drawer** — integration cards are now clickable, opening a side drawer with integration-specific form fields (masked API keys with reveal toggle). Save writes to `.env` with safe merge. OAuth integrations show "Connect" button instead. Backend test endpoint (`POST /api/integrations/<name>/test`) with real connectivity tests for Stripe, Omie, Evolution API, and Todoist.
+- **Agent-level permissions** — new `agent_access` field on roles with 4 modes: all, by layer (business/engineering), per-agent selection, or none. Locked agents appear with reduced opacity + lock icon in the dashboard. Direct URL access to locked agents shows "Acesso restrito" page. 38 agents mapped across business (17) and engineering (21) layers.
+- **S3 backup browser** — new "Remote Backups (S3)" section on the Backups page lists existing backups in the configured S3 bucket. Download directly from S3. New backend endpoints `GET /api/backups/s3` and `GET /api/backups/s3/<key>/download`.
+- **Backup storage provider config** — collapsible "Storage Provider" panel on the Backups page with S3 Bucket, Access Key, Secret Key, and Region fields (masked with reveal toggle).
+- **Copy file path button** — click "Copiar" in the file path bar to copy the full path to clipboard.
+
+### Changed
+
+- **Tree view preserves state on refresh** — when page reloads, all ancestor folders of the selected file auto-expand to restore the navigation context.
+- **Config page removed** — redundant with the new Integration drawer. `.env` vars for dashboard credentials (DASHBOARD_API_TOKEN) are no longer editable from the frontend (security improvement).
+- **Logo consistency** — Login and Setup pages now use the official `EVO_NEXUS.png` logo instead of a generic inline SVG.
+
+### Fixed
+
+- **DB migration for agent_access** — auto-migrate adds `agent_access_json` column to existing SQLite databases on startup (ALTER TABLE before seed_roles).
+
 ## [0.16.0] - 2026-04-12
 
 ### Added

cli/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@evoapi/evo-nexus",
-  "version": "0.16.0",
+  "version": "0.17.0",
   "description": "Unofficial open source toolkit for Claude Code — AI-powered business operating system",
   "keywords": [
     "claude-code",

dashboard/backend/app.py

@@ -48,6 +48,19 @@
     db.create_all()
     db.session.execute(db.text("PRAGMA journal_mode=WAL"))
     db.session.commit()
+
+    # --- Auto-migrate: add new columns to existing tables ---
+    import sqlite3 as _sqlite3
+    _db_path = app.config["SQLALCHEMY_DATABASE_URI"].replace("sqlite:///", "")
+    _conn = _sqlite3.connect(_db_path)
+    _cur = _conn.cursor()
+    _existing_cols = {row[1] for row in _cur.execute("PRAGMA table_info(roles)").fetchall()}
+    if "agent_access_json" not in _existing_cols:
+        _cur.execute("ALTER TABLE roles ADD COLUMN agent_access_json TEXT DEFAULT '{\"mode\": \"all\"}'")
+        _conn.commit()
+    _conn.close()
+    # --- End auto-migrate ---
+
     seed_roles()
     seed_systems()
     # Sync trigger definitions from YAML config

dashboard/backend/models.py

@@ -92,14 +92,60 @@ def to_dict(self):
     "mempalace": ["view", "manage"],
 }
 
+# Agent layer mapping (file-stem names)
+AGENT_LAYERS: dict[str, str] = {
+    # Business layer
+    "clawdia-assistant": "business",
+    "flux-finance": "business",
+    "atlas-project": "business",
+    "kai-personal-assistant": "business",
+    "pulse-community": "business",
+    "sage-strategy": "business",
+    "pixel-social-media": "business",
+    "nex-sales": "business",
+    "mentor-courses": "business",
+    "lumen-learning": "business",
+    "oracle": "business",
+    "mako-marketing": "business",
+    "aria-hr": "business",
+    "zara-cs": "business",
+    "lex-legal": "business",
+    "nova-product": "business",
+    "dex-data": "business",
+    # Engineering layer
+    "apex-architect": "engineering",
+    "echo-analyst": "engineering",
+    "compass-planner": "engineering",
+    "raven-critic": "engineering",
+    "lens-reviewer": "engineering",
+    "zen-simplifier": "engineering",
+    "vault-security": "engineering",
+    "bolt-executor": "engineering",
+    "hawk-debugger": "engineering",
+    "grid-tester": "engineering",
+    "probe-qa": "engineering",
+    "oath-verifier": "engineering",
+    "trail-tracer": "engineering",
+    "flow-git": "engineering",
+    "scroll-docs": "engineering",
+    "canvas-designer": "engineering",
+    "prism-scientist": "engineering",
+    "helm-conductor": "engineering",
+    "mirror-retro": "engineering",
+    "scout-explorer": "engineering",
+    "quill-writer": "engineering",
+}
+
 # Default permissions for built-in roles (used when seeding)
 BUILTIN_ROLES = {
     "admin": {
         "description": "Full access to all resources",
         "permissions": {r: actions[:] for r, actions in ALL_RESOURCES.items()},
+        "agent_access": {"mode": "all"},
     },
     "operator": {
         "description": "Can view and execute, but not manage users or audit",
+        "agent_access": {"mode": "all"},
         "permissions": {
             "chat": ["view", "execute"],
             "services": ["view", "execute"],
@@ -121,6 +167,7 @@ def to_dict(self):
     },
     "viewer": {
         "description": "Read-only access to dashboards",
+        "agent_access": {"mode": "none"},
         "permissions": {
             "workspace": ["view"],
             "agents": ["view"],
@@ -319,6 +366,7 @@ class Role(db.Model):
     name = db.Column(db.String(50), unique=True, nullable=False)
     description = db.Column(db.String(200))
     permissions_json = db.Column(db.Text, nullable=False, default="{}")
+    agent_access_json = db.Column(db.Text, nullable=True, default='{"mode": "all"}')
     is_builtin = db.Column(db.Boolean, default=False)
     created_at = db.Column(db.DateTime, default=lambda: datetime.now(timezone.utc))
 
@@ -333,12 +381,25 @@ def permissions(self) -> dict:
     def permissions(self, value: dict):
         self.permissions_json = json.dumps(value)
 
+    @property
+    def agent_access(self) -> dict:
+        try:
+            result = json.loads(self.agent_access_json) if self.agent_access_json else None
+            return result if result else {"mode": "all"}
+        except (json.JSONDecodeError, TypeError):
+            return {"mode": "all"}
+
+    @agent_access.setter
+    def agent_access(self, value: dict):
+        self.agent_access_json = json.dumps(value)
+
     def to_dict(self):
         return {
             "id": self.id,
             "name": self.name,
             "description": self.description,
             "permissions": self.permissions,
+            "agent_access": self.agent_access,
             "is_builtin": self.is_builtin,
             "created_at": self.created_at.strftime("%Y-%m-%dT%H:%M:%S.%fZ") if self.created_at else None,
         }
@@ -366,13 +427,19 @@ def seed_roles():
                 if resource not in current:
                     current[resource] = actions
             existing.permissions = current
+
+            # --- Migração agent_access: set default for existing roles ---
+            if existing.agent_access_json is None:
+                existing.agent_access = config.get("agent_access", {"mode": "all"})
+            # --- fim migração ---
         else:
             role = Role(
                 name=name,
                 description=config["description"],
                 is_builtin=True,
             )
             role.permissions = config["permissions"]
+            role.agent_access = config.get("agent_access", {"mode": "all"})
             db.session.add(role)
     db.session.commit()
 
@@ -407,11 +474,43 @@ def get_role_permissions(role_name: str) -> dict:
     return {}
 
 
+def get_role_agent_access(role_name: str) -> dict:
+    """Get agent_access config for a role from DB, fallback to builtin defaults."""
+    role = Role.query.filter_by(name=role_name).first()
+    if role:
+        return role.agent_access
+    builtin = BUILTIN_ROLES.get(role_name)
+    if builtin:
+        return builtin.get("agent_access", {"mode": "all"})
+    return {"mode": "all"}
+
+
 def has_permission(role: str, resource: str, action: str) -> bool:
     perms = get_role_permissions(role)
     return action in perms.get(resource, [])
 
 
+def has_agent_access(role_name: str, agent_name: str) -> bool:
+    """Check if a role has access to a specific agent."""
+    if role_name == "admin":
+        return True
+    config = get_role_agent_access(role_name)
+    mode = config.get("mode", "all")
+    if mode == "all":
+        return True
+    if mode == "none":
+        return False
+    if mode == "selected":
+        agents = config.get("agents", [])
+        return agent_name in agents
+    if mode == "layer":
+        layers = config.get("layers", [])
+        agent_layer = AGENT_LAYERS.get(agent_name)
+        return agent_layer is not None and agent_layer in layers
+    # Unknown mode — default to all
+    return True
+
+
 def audit(user, action: str, resource: str = None, detail: str = None):
     """Log an action to the audit trail."""
     from flask import request

dashboard/backend/routes/agents.py

@@ -1,7 +1,9 @@
 """Agents endpoint — list agents, their config and memory."""
 
 from flask import Blueprint, jsonify, abort, Response
+from flask_login import login_required, current_user
 from routes._helpers import WORKSPACE, safe_read, parse_frontmatter, file_info
+from models import has_agent_access
 
 bp = Blueprint("agents", __name__)
 
@@ -17,10 +19,12 @@ def _count_memory(name: str) -> int:
 
 
 @bp.route("/api/agents")
+@login_required
 def list_agents():
     if not AGENTS_DIR.is_dir():
         return jsonify([])
     agents = []
+    role = current_user.role if current_user.is_authenticated else "viewer"
     for f in sorted(AGENTS_DIR.iterdir()):
         if f.suffix.lower() == ".md" and f.is_file():
             content = safe_read(f) or ""
@@ -31,6 +35,7 @@ def list_agents():
                 "description": fm.get("description", ""),
                 "memory_count": _count_memory(name),
                 "custom": name.startswith("custom-"),
+                "locked": not has_agent_access(role, name),
             }
             if fm.get("color"):
                 entry["color"] = fm["color"]

dashboard/backend/routes/auth_routes.py

@@ -4,7 +4,7 @@
 from functools import wraps
 from flask import Blueprint, request, jsonify, abort
 from flask_login import login_user, logout_user, login_required, current_user
-from models import db, User, AuditLog, Role, has_permission, audit, needs_setup, get_role_permissions, ALL_RESOURCES
+from models import db, User, AuditLog, Role, has_permission, audit, needs_setup, get_role_permissions, get_role_agent_access, ALL_RESOURCES, AGENT_LAYERS
 
 bp = Blueprint("auth", __name__)
 
@@ -188,9 +188,11 @@ def logout():
 @login_required
 def me():
     perms = get_role_permissions(current_user.role)
+    agent_access = get_role_agent_access(current_user.role)
     return jsonify({
         "user": current_user.to_dict(),
         "permissions": perms,
+        "agent_access": agent_access,
     })
 
 
@@ -340,6 +342,14 @@ def list_resources():
     return jsonify(ALL_RESOURCES)
 
 
+@bp.route("/api/roles/agent-layers")
+@login_required
+@require_permission("users", "view")
+def list_agent_layers():
+    """Return AGENT_LAYERS mapping for frontend grouping."""
+    return jsonify(AGENT_LAYERS)
+
+
 @bp.route("/api/roles", methods=["POST"])
 @login_required
 @require_permission("users", "manage")
@@ -358,6 +368,7 @@ def create_role():
 
     role = Role(name=name, description=description)
     role.permissions = permissions
+    role.agent_access = data.get("agent_access", {"mode": "all"})
     db.session.add(role)
     db.session.commit()
 
@@ -376,6 +387,8 @@ def update_role(role_id):
         role.description = data["description"]
     if "permissions" in data:
         role.permissions = data["permissions"]
+    if "agent_access" in data:
+        role.agent_access = data["agent_access"]
     if "name" in data and not role.is_builtin:
         new_name = data["name"].strip().lower()
         if new_name != role.name and Role.query.filter_by(name=new_name).first():

dashboard/backend/routes/backups.py

@@ -158,6 +158,66 @@ def delete_backup(filename):
     return jsonify({"status": "deleted"})
 
 
+@bp.route("/api/backups/s3")
+def list_s3_backups():
+    """List backup files stored in S3."""
+    denied = _require("config", "view")
+    if denied:
+        return denied
+
+    bucket = os.environ.get("BACKUP_S3_BUCKET")
+    if not bucket:
+        return jsonify({"backups": [], "error": "S3 not configured"})
+
+    try:
+        import boto3
+    except ImportError:
+        return jsonify({"backups": [], "error": "boto3 not installed"})
+
+    try:
+        s3 = boto3.client("s3")
+        prefix = os.environ.get("BACKUP_S3_PREFIX", "")
+        response = s3.list_objects_v2(Bucket=bucket, Prefix=prefix)
+        backups = []
+        for obj in response.get("Contents", []):
+            key = obj["Key"]
+            if not key.endswith(".zip"):
+                continue
+            backups.append({
+                "key": key,
+                "filename": key.rsplit("/", 1)[-1],
+                "size": obj["Size"],
+                "modified": obj["LastModified"].isoformat(),
+            })
+        backups.sort(key=lambda x: x["modified"], reverse=True)
+        return jsonify({"backups": backups, "total": len(backups)})
+    except Exception as e:
+        return jsonify({"backups": [], "error": str(e)})
+
+
+@bp.route("/api/backups/s3/<path:key>/download")
+def download_s3_backup(key):
+    """Download a backup from S3 to local backups dir, then serve it."""
+    denied = _require("config", "manage")
+    if denied:
+        return denied
+
+    bucket = os.environ.get("BACKUP_S3_BUCKET")
+    if not bucket:
+        return jsonify({"error": "S3 not configured"}), 400
+
+    try:
+        import boto3
+        s3 = boto3.client("s3")
+        filename = key.rsplit("/", 1)[-1]
+        local_path = BACKUPS_DIR / filename
+        BACKUPS_DIR.mkdir(parents=True, exist_ok=True)
+        s3.download_file(bucket, key, str(local_path))
+        return send_file(str(local_path), as_attachment=True, download_name=filename)
+    except Exception as e:
+        return jsonify({"error": str(e)}), 500
+
+
 @bp.route("/api/backups/config")
 def backup_config():
     """Return backup configuration (S3 status, etc)."""